AplusWebMaster

Another "Storm" Wave

76 posts in this topic

Interesting site - "Storm Tracker":

 

> http://www.trustedsource.org/TS?do=threats...o=storm_tracker

Daily New Web Proxy IPs

Most Active Storm Web Proxy IPs

Top Storm Domains

Newly Activated Storm Web Proxy IPs

Recently Seen Storm Web Proxy IPs

Geolocation of Storm Web Proxy IPs


FYI...

 

New Storm tactic: Medical spam sites

- http://www.websense.com/securitylabs/blog/....php?BlogID=170

Jan 29 2008 - "... the Storm worm has changed spamming tactics. Spam sent by infected hosts contain links of the format:

http ://(IP address)/(short random directory name)

These links redirect users to medical spam sites, but the links are still infected at the root level (e.g. http ://IP address/). The redirects help these medical spam sites attempt to evade spam filters..."

 

- http://blog.trendmicro.com/storm-now-serving-bad-medicine/

January 31, 2008

 

(Screenshots available at both URLs above.)

 

:ph34r:


FYI...

 

- http://www.marshal.com/pages/newsitem.asp?...thesection=news

31 January 2008 – "...Storm is one of five botnets that we have been monitoring that we believe are responsible for approximately 75 per cent of all spam in circulation. One particular botnet which heavily promotes a certain brand of male enhancement pills accounts for nearly 30 per cent. This one bot has already exceeded Storm’s records and it has done it quietly without attracting too much attention. This might signal a new strategy by some of the spam crews to try and draw less attention to themselves through high profile email campaigns... It is also possible that the individuals behind the Storm botnet are responsible for one or more of these new botnets. These people are smart and one lesson they may have learned from Storm is to stay under the radar if they want to remain successful. There is a lot of crossover with the products being promoted by all five of these botnets. This could indicate some sort of connection between them...”

 

- http://preview.tinyurl.com/2zlwao

February 4, 2008 (Computerworld) - "...Mega-D has borrowed a few tricks from Storm, such as operating in Asian countries typified by high broadband penetration and poor use of anti-virus, using Trojans to dodge signature-based removal techniques and proliferating over peer-to-peer networks... Mega-D has targeted Facebook users with fake invites that download the Trojan using a phony Flash Player update. More than 70 percent of global spam is sent from botnets Mega-D, Pushdo, HTML, One Word Sub and Storm..."

 

- http://www.marshal.com/trace/traceitem.asp?article=510

February 4, 2008

 

:ph34r: :ph34r:


Eye on the botnets...

 

- http://www.darkreading.com/document.asp?do...&print=true

FEBRUARY 4, 2008 - "A new peer-to-peer (P2P) botnet even more powerful and stealthy than the infamous Storm has begun infiltrating mostly U.S.-based large enterprises, educational institutions, and customers of major ISPs. The MayDay botnet can evade leading antivirus products, and so far has compromised thousands of hosts, according to Damballa, which says 96.5 percent of the infected machines are in the U.S., and about 2.5 percent in Canada. Damballa first hinted of this potential successor to Storm late last year... The botnet uses two forms of P2P communications to ensure it can talk to its bots, including the Internet Control Message Protocol (ICMP)... Damballa is not sure why AV engines aren't detecting MayDay's malware... The infection comes in the form of what appears to the victim to be an Adobe Reader executable, but is actually the malware...

As for Storm, researchers are now looking at whether another spam-spewing botnet, called Mega-D, is somehow related to Storm. Researchers from U.K.-based security vendor Marshal over the weekend blogged about Mega-D overshadowing Storm in spam delivery, with 32 percent of all spam they caught in their filters versus only 2 percent from Storm, which they say previously had accounted for 20 percent of the spam. Mega-D mostly spams male sexual enhancement drugs, according to Marshal...

So far, MayDay is mostly ordering its bots to send spam runs, he says. It also sends accounting information back to the command and control servers on the success of the spam runs, so it appears relatively businesslike. Meanwhile, Damballa is working on reverse-engineering the ICMP communications, which are encrypted, Cox says."

 

- http://asert.arbornetworks.com/2008/02/meg...mbot-follow-up/

February 5, 2008 - Mega-D Spambot Follow-up

 

- http://asert.arbornetworks.com/2008/02/sec...rojan-analysis/

February 11, 2008 - "Enabled by some spam samples Marshal provided, Joe Stewart and the good folks @SecureWorks, with an assist from Team Cymru and my|NetWatchman, have identified the malware and botnet referred to as Mega-D. It turns out Mega-D is composed of bots from the little-known Ozdok malware family. Joe provides some analysis on scale and distribution of the botnet here*, as well as some detailed bits on behaviors of the Trojan itself..."

* http://www.secureworks.com/research/threat...k/?threat=ozdok

February 11, 2008

 

:ph34r:


FYI...

 

Storm Worm Valentine's Day Update

- http://www.shadowserver.org/wiki/pmwiki.ph...lendar.20080210

February 10, 2008 - "...Storm Worm has once again undergone another change as Valentine's Day is approaching. Fresh with 8 different rotating Valentine's Day images and a new executable named valentine.exe (may sound familiar), the Storm Worm may be gearing up for a new round of assaults on inboxes. It would appear that the domains are no longer serving up wildcard .gif files related to their stock spams. Instead we have eight .gif images ranging from 1.gif on up to 8.gif. After a few moments you'll be prompted to download the binary... a peek at the 8 images..."

 

- http://blog.trendmicro.com/storm-sure-loves-everybody/

February 11, 2008 - "...The spammed email messages are just plain text, but these contain links that lead to malicious Web sites displaying one of eight cute Valentine images..."

 

(Screenshots available at the URLs above.)

 

:ph34r:


FYI...

 

Stormworms spammy love notes

- http://isc.sans.org/diary.html?storyid=3979

Last Updated: 2008-02-12 22:42:30 UTC - "We received several reports of spam containing Subject lines such as: “Sweetest Things Aren’t Things!, Valentine’s Day, The Love Train” and other similar subject lines. These all included a URL that was just an IP address. Those URLs lead to binaries named valentine.exe. The MD5 on the binaries is changing rapidly so AV detection based on MD5 or other hash values is not reliable. We submitted one version to virustotal. 12/31 of the av engines there recognized it. Valentine.exe is a new version of storm worm... Jose Nazario of Arbornetworks has some additional about this at:

http://asert.arbornetworks.com/2008/02/new...s-day-campaign/ ..."

"...Poor AV detection (via VirusTotal), but humans can spot this a mile away."

 

:ph34r:


FYI...

 

Botnet wars?

- http://blog.trendmicro.com/rtkt_pushuac-rootkit-remover/

February 27, 2008 - "A malware removes rootkits? There has to be a catch here. Our recent analysis of RTKT_PUSHU.AC reveals that this component of WORM_NUWAR, TROJ_PUSHDO/TROJ_PANDEX malware families removes previously installed rootkits by other malware but then infects the system with its own rootkit components..."

 

 

:ph34r:


FYI...

 

Storm Reactivating

- http://www.f-secure.com/weblog/archives/00001392.html

March 3, 2008 - " We haven't seen new Storm sites since the spam run they did over Valentine's Day… until early this morning. Right now they are sending a wide variety of mails regarding ecards... Depending on what you do, you end up with either e-card.exe (clicking the picture), e-card.exe (clicking the link) or postcard.exe (waiting for a few seconds). The files are variable but they always do the same thing: infect your system with the latest Storm/Zhelatin variant..."

(Screenshots available at the F-Secure URL above.)

 

- http://isc.sans.org/diary.html?storyid=4054

Last Updated: 2008-03-03 08:18:58 UTC - "...Well, Storm is back, and back to generic e-Card spam... some Subjects and Contents to watch for:

 

Subject:

Your ecard joke is waiting

You have an ecard

We have a ecard surprise

Someone Just sent you an ecard

Did you open your ecard yet

ecard waiting for you

Open your ecard

new ecard waiting

Now this is funny

online greeting waiting

sent you an ecard

 

Body:

laughing Funny Card

You have been sent a Funny Postcard

You have been sent the Funny Ecard

original Funny Card

Someone Sent you this Funny Ecard

your funny postcard

original Funny Postcard

sent a Funny Postcard

personal funny postcard

FunnyPostcard

laughing funny postcard

 

Watch your inbox, and let's hope the AV vendors jump on this quickly."

 

:grrr::ph34r:


FYI...

 

- http://www.f-secure.com/weblog/archives/00001410.html

March 31, 2008 19:45 GMT - " A wave of April Fool's Day related Storm (e)mails have just been sent out. Similar as the other times with a link that points to an IP address... if you receive one of these emails, don't click on the link."

(Screenshots available at the URL above.)

 

- http://isc.sans.org/diary.html?storyid=4222

Last Updated: 2008-03-31 21:00:07 UTC - "...Again, a varied list of subjects comes with this release:

All Fools' Day

Doh! All's Fool.

Doh! April's Fool.

Gotcha!

Gotcha! All Fool!

Gotcha! April Fool!

Happy All Fool's Day.

Happy All Fools Day!

Happy All Fools!

Happy April Fool's Day.

Happy April Fools Day!

Happy Fools Day!

I am a Fool for your Love

Join the Laugh-A-Lot!

Just You

One who is sportively imposed upon by others on the first day of April

Surprise!

Surprise! The joke's on you.

Today You Can Officially Act Foolish

Today's Joke!

...The download is a binary, also with varying names:

foolsday.exe *

funny.exe

kickme.exe

...Virus coverage is poor* with the samples we've captured, but we're working with the AV vendors to improve that..."

 

* i.e.: http://www.virustotal.com/analisis/4d97cff...95081c150afb4cd

File foolsday.exe received on 03.31.2008 21:16:16 (CET)

Current status: finished

Result: 6/32 (18.75%)

 

:grrr::ph34r:
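Pulling the indicators from the ISC diaries quoted above (the e-card and April Fool's subject lists, the bare-IP links Websense described back in January, the rotating binary names) into something a mail admin could actually run: this is an added example, not code from the thread or from any of the vendors quoted, and the sample messages in it are constructed. Since the diaries note the MD5s change too fast to key on hashes, it keys on the three things that stayed stable across runs: a known subject line, a link whose host is a bare IP address rather than a hostname, and a link path ending in one of the binary names reported. It also refangs the "hxxp ://1 .2 .3 .4" style used in the diaries so pasted IOCs can be fed straight in.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Subject lines quoted above from the ISC diaries (e-card run, April Fool's run),
# lower-cased; matching normalises case and whitespace.
STORM_SUBJECTS = {
    "your ecard joke is waiting", "you have an ecard", "we have a ecard surprise",
    "someone just sent you an ecard", "did you open your ecard yet",
    "ecard waiting for you", "open your ecard", "new ecard waiting",
    "now this is funny", "online greeting waiting", "sent you an ecard",
    "all fools' day", "gotcha!", "gotcha! april fool!", "happy april fools day!",
    "surprise! the joke's on you.", "today's joke!",
}
# Binary names quoted above from the same reports.
STORM_BINARIES = {"valentine.exe", "e-card.exe", "postcard.exe",
                  "foolsday.exe", "funny.exe", "kickme.exe"}

# Matches http(s) links, including defanged forms such as "hxxp ://122 .118 .131 .58"
# (whitespace is only allowed immediately before a dot, so prose after the link is not swallowed).
URL_RE = re.compile(r'h(?:xx|tt)ps?\s*://\s*(?:[^\s<>"\']+|\s+(?=\.))+', re.IGNORECASE)


def refang(url):
    """Turn a defanged link back into a parseable URL: hxxp -> http, drop inserted spaces."""
    url = re.sub(r"^h(?:xx|tt)p", "http", url.strip(), flags=re.IGNORECASE)
    return re.sub(r"\s+", "", url)


def is_bare_ip(host):
    """True when the URL host is a literal IPv4/IPv6 address instead of a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage_message(subject, body):
    """Return the list of (indicator, detail) pairs found in one message; [] means clean."""
    hits = []
    if " ".join(subject.split()).lower() in STORM_SUBJECTS:
        hits.append(("subject", subject))
    for raw in URL_RE.findall(body):
        url = refang(raw)
        parsed = urlparse(url)
        if is_bare_ip(parsed.hostname or ""):
            hits.append(("bare-ip-link", url))
        filename = parsed.path.rsplit("/", 1)[-1].lower()
        if filename in STORM_BINARIES:
            hits.append(("storm-binary", filename))
    return hits


# Constructed sample messages (not real captures): two Storm-style lures and one clean mail.
SAMPLES = [
    ("Open your ecard", "You have been sent a Funny Postcard http://10.1.2.3/x7q/e-card.exe"),
    ("Crazy in love with you", "hxxp ://122 .118 .131 .58"),
    ("Weekly report", "Minutes are at https://intranet.example.com/minutes/2008-04.html"),
]


def triage_all(samples=SAMPLES):
    """Run the triage over a list of (subject, body) pairs."""
    return [(subj, triage_message(subj, body)) for subj, body in samples]


if __name__ == "__main__":
    for subj, hits in triage_all():
        print(f"{subj!r}: {hits or 'clean'}")
```

A bare-IP link on its own is not proof (plenty of internal tools are reached by address), which is why the result is a list of indicators rather than a verdict; in practice the combination of a bare IP and a short random directory, as Websense described, is what you would act on, and the subject list needs refreshing with every run.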


More...

 

April Storm’s Day Campaign

- http://asert.arbornetworks.com/2008/03/apr...ms-day-campaign

March 31, 2008 - "...here are the specifics for this variant:

* Peerlist: C:\WINDOWS\aromis.config

* Installs as: C:\WINDOWS\aromis.exe

* As always, listens on a random UDP port, makes a lot of outbound connections, allows itself to the firewall via “netsh firewall set” and via the registry, uses w32tm to update its clock, and so on."

 

:grrr::ph34r:
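The host-side behaviours Arbor lists (dropping into C:\WINDOWS\, punching a hole with "netsh firewall set", resyncing the clock with w32tm) are the sort of thing you can correlate from process-creation logs rather than waiting on a signature. This is an added example, not Arbor's or the thread's code: the log format (ts|pid|ppid|image|cmdline), the sample lines, the allowlist of binaries that legitimately live in %SystemRoot% itself, and the "netsh firewall set allowedprogram" spelling of the firewall command are all assumptions. It attributes each netsh/w32tm child back to its parent and alerts only when one parent shows the firewall exception plus at least one other of the listed behaviours.

```python
import re
from collections import defaultdict

# Constructed process-creation log (not a real capture): ts|pid|ppid|image|cmdline.
# The aromis.exe chain mirrors the behaviours listed above; the firefox/netsh lines are benign noise.
SAMPLE_LOG = """\
2008-03-31T21:16:01|1888|1040|C:\\WINDOWS\\explorer.exe|explorer.exe
2008-03-31T21:16:05|2012|1888|C:\\WINDOWS\\aromis.exe|"C:\\WINDOWS\\aromis.exe"
2008-03-31T21:16:06|2020|2012|C:\\WINDOWS\\system32\\netsh.exe|netsh firewall set allowedprogram "C:\\WINDOWS\\aromis.exe" aromis enable
2008-03-31T21:16:07|2024|2012|C:\\WINDOWS\\system32\\w32tm.exe|w32tm /resync
2008-03-31T21:20:00|2100|1888|C:\\Program Files\\Mozilla Firefox\\firefox.exe|"firefox.exe"
2008-03-31T21:21:00|2110|2100|C:\\WINDOWS\\system32\\netsh.exe|netsh interface ip show config
"""

# An .exe sitting directly in the Windows directory (not system32 or a subfolder).
WINDOWS_ROOT_EXE = re.compile(r"^[A-Z]:\\WINDOWS\\([^\\]+\.exe)$", re.IGNORECASE)
# Binaries that legitimately live in %SystemRoot% itself (assumption; tune per image).
ROOT_ALLOWLIST = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe", "winhlp32.exe"}
# XP-era firewall exception command; group 1 is the program being allowed.
FW_ALLOW = re.compile(r'netsh\s+firewall\s+set\s+allowedprogram\s+"?([^"]+?\.exe)"?', re.IGNORECASE)
W32TM_RESYNC = re.compile(r"\bw32tm\s+/resync\b", re.IGNORECASE)


def parse_log(text):
    """Parse the pipe-separated log into a dict keyed by pid."""
    procs = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pid, ppid, image, cmdline = line.split("|", 4)
        procs[int(pid)] = {"ts": ts, "pid": int(pid), "ppid": int(ppid),
                           "image": image, "cmdline": cmdline}
    return procs


def detect(text):
    """Return alerts for parents that combine a firewall exception with other Storm-like behaviour."""
    procs = parse_log(text)
    indicators = defaultdict(set)  # pid of the suspected bot process -> indicator names
    for p in procs.values():
        m = WINDOWS_ROOT_EXE.match(p["image"])
        if m and m.group(1).lower() not in ROOT_ALLOWLIST:
            indicators[p["pid"]].add("exe-in-windows-root")
        fw = FW_ALLOW.search(p["cmdline"])
        if fw:
            # The exception is attributed to whoever launched netsh, not to netsh itself.
            indicators[p["ppid"]].add("firewall-exception")
            parent = procs.get(p["ppid"])
            if parent and fw.group(1).lower() == parent["image"].lower():
                indicators[p["ppid"]].add("firewall-exception-for-self")
        if W32TM_RESYNC.search(p["cmdline"]):
            indicators[p["ppid"]].add("time-resync")
    alerts = []
    for pid, inds in indicators.items():
        if "firewall-exception" in inds and len(inds) >= 2:
            image = procs[pid]["image"] if pid in procs else "<unknown>"
            alerts.append({"pid": pid, "image": image, "indicators": sorted(inds)})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The "firewall-exception-for-self" indicator is the strongest of the set: a process that launches netsh to allow its own image through the firewall is exactly the self-installation Arbor describes, and benign installers rarely do it from a binary dropped in the Windows root.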


FYI...

 

- http://blog.trendmicro.com/storm-now-on-video/

April 8, 2008 - "...only days after re-professing its love to unsuspecting users via blog pages, the Storm malware is at it again, this time posing as a video codec. TrendLabs researchers discovered several sites that offer, what looks like, a YouTube-look-alike streaming video. The infection vector and messaging is actually still the same, that is, users are most likely to access this site via links on specially crafted, love-themed blogs. What is interesting this time is that on the said site, users are required to download the so-called Storm Codec in order to view the said video. Yes, you read that right: the codec is called Storm Codec... Is that blatant enough? Of course, the said “codec” is actually a NUWAR/Storm variant, which Trend Micro already detects as WORM_NUWAR.JQ... If the social engineering tactic of using video codecs is familiar, it’s because it is — ZLOB Trojans became infamous because of it... the Storm gang’s attempt to venture into the said codec “business” has our researchers speculating whether they are now in cahoots with the ZLOB authors, or that they are trying to take over ZLOB’s niche, much like they did with STRATION when the two first started battling it out late 2006..."

 

(Screenshot available at the URL above.)

 

:ph34r:


FYI...

 

- http://preview.tinyurl.com/4swsc8

May 5, 2008 (Symantec Security Response Weblog) - "No sooner had various agencies commented on the reduction of the size of the Storm network than we started seeing signs of another wave of malware in the offing. We are currently tracking some fast-flux domains related to Trojan.Peacomm (a.k.a. Storm). These domains were registered just a few days ago. Simply visiting the sites presents the user with a blank page; however, modifying the URLs to access a specific file runs a script which attempts to exploit several different vulnerabilities... The domains being tracked are not currently being linked to. This could mean that either the sites are still under development, or that the authors are planning to use a different technique to spread their creations. If the reason is the former, then a spam wave should be expected in the coming days and this upcoming Mother’s Day could be used as a lure... Only time will allow the method employed in this wave of attacks to be confirmed. This is definitely an interesting development in the story of the Storm worm. We urge users to keep their antivirus product signatures up to date. Although it is important to ensure that operating system patches are up-to-date, most of the vulnerabilities being targeted by this malware are related to third-party products*..."

 

(More detail at the URL above.)

 

* Test 3rd party software here: http://secunia.com/software_inspector/

 

:ph34r:


FYI...

 

New Storm tactic

- http://sunbeltblog.blogspot.com/2008/06/ne...orm-tactic.html

June 02, 2008

(Screenshot available at the Sunbelt blog URL above.)

 

- http://isc.sans.org/diary.html?storyid=4516

Last Updated: 2008-06-02 21:11:49 UTC - "New Stormworm download site... 122.118.131.58 is being spammed out with a message that states: 'Crazy in love with you'

hxxp ://122 .118 .131 .58

I checked that site and could only find an index.html, lr.gif and loveyou.exe. lr.gif is a gif file that says 'love riddles'. Index.html encourages visitors to run loveyou.exe by asking ‘Who is loving you? Do you want to know? Just click here and choose either “Open” or “Run”’. loveyou.exe is a version of Trojan.Peacom.D aka Stormworm. I recommend you block this ip address till it gets cleaned up."

 

Look for your AV updates shortly...

 

:ph34r:


FYI...

 

- http://blog.trendmicro.com/storm-meddles-i...s-of-the-heart/

June 3, 2008 - "...A new trickle of Storm-related spam has been seen, again hewing to themes of love and romance. Perhaps said authors believe this run will be a runaway success, since June is widely held as the most popular month for weddings?... email subjects read “Stand by my side,” “I want to be with you,” and “Lucky to have you”—simple statements dripping with sincerity, or so spammers hope, to get unsuspecting users hooked. The said subject lines differ from the one-liners that make up the message body, alongside malicious IP addresses that don’t bother to ask users to click on them. But if the curious do click on these, they are redirected... This is where they are then asked to “click here” and choose “Open” or “Run”—but not before they are made to read teasers hinting of secret admirers: “Who is loving you? Do you want to know?” And if they dare to find out, the “secret admirer” turns out to be a file named LOVEYOU.EXE, which Trend Micro detects as WORM_NUWAR.BC. Heart-related themes have been used time and again as spam baits. Because of its popularity, this is a theme that will probably last a lifetime, if users continue to fall for its schemes..."

(Screenshots available at the URL above.)

 

- http://www.f-secure.com/weblog/archives/00001452.html

June 4, 2008 - "Despite reports of Storm being killed off, it's still very much alive... While the Storm botnet certainly isn't as big as it used to be, it's definitely one of the most persistent botnets we've ever seen… and we've not seen the last of it."

 

:shock:


FYI...

 

New Storm Worm Variant Spreading

- http://www.us-cert.gov/current/#new_storm_...ariant_spreads2

June 19, 2008 - " US-CERT has received reports of new Storm Worm related activity. The latest activity is centered around messages related to the recent earthquake in China and the upcoming Olympic Games. This Trojan is spread via an unsolicited email message that contains a link to a malicious website. This website contains a video that when opened may run the executable file "beijing.exe" to infect the user's system with malicious code. Subject lines can change at any time, but the following subject lines are noted as being used:

* The most powerful quake hits China

* Countless victims of earthquake in China

* Death toll in China is growing

* Recent earthquake in china took a heavy toll

* Recent china earthquake kills million

* China is paralyzed by new earthquake

* Death toll in China exceeds 1000000

* A new powerful disaster in China

* A new deadly catastrophe in China

* 2008 Olympic Games are under the threat

* China's most deadly earthquake ..."

 

- http://www.f-secure.com/weblog/archives/00001457.html

June 19, 2008

(Screenshots available at the F-Secure URL above.)

 

- http://www.sophos.com/security/blog/2008/06/1500.html

19 June 2008 - "...the .cn domains linked by the spam messages are likely part of a botnet. Each query to the nameservers for these domains returns a different IP address, indicating fast-flux behavior. The domains also serve webpages using the same web server seen in a number of botnet campaigns..."

 

:grrr::ph34r::evilgrin:


FYI...

 

- http://www.f-secure.com/weblog/archives/00001459.html

June 20, 2008 - "... big increase in emails going around with all sorts of interesting subjects... long list of different subjects - too long to list them all here so we've put them in a downloadable TXT file* instead. All mails contain a link to different compromised sites which all contain the same fake Porntube page. Once there the page shows an error message telling the user that they need to install a Video ActiveX component. The file that gets downloaded is a spam trojan that sends out lots of emails with links pointing back to the compromised sites... The list of compromised sites is pretty extensive as well, we've been able to identify 74 different sites so far whereof only a handful have been fixed... the file that gets downloaded, video.exe..."

 

* http://www.f-secure.com/weblog/archives/ag...yw_subjects.txt

 

:grrr::ph34r:


FYI...

 

Fast Flux and New Domains for Storm

- http://asert.arbornetworks.com/2008/06/fas...ains-for-storm/

June 28, 2008 - "...some of our ATLAS fast flux data*... Storm Worm has begun using new fast flux domains... Storm has changed its tactics constantly in the past year and a half, and this “love theme” is nothing new. We’ll see how long this theme lasts.

UPDATE 1 July 2008 - Here’s a full list of domains:

superlovelyric.com NS ns.verynicebank.com

bestlovelyric.com NS ns.verynicebank.com

makingloveworld.com NS ns.verynicebank.com

wholoveguide.com NS ns.verynicebank.com

gonelovelife.com NS ns.verynicebank.com

loveisknowlege.com NS ns.verynicebank.com

lovekingonline.com NS ns.verynicebank.com

lovemarkonline.com NS ns.verynicebank.com

makingadore.com NS ns.verynicebank.com

greatadore.com NS ns.verynicebank.com

loveoursite.com NS ns.verynicebank.com

musiconelove.com NS ns.verynicebank.com

knowholove.com NS ns.verynicebank.com

whoisknowlove.com NS ns.verynicebank.com

theplaylove.com NS ns.verynicebank.com

wantcherish.com NS ns.verynicebank.com

verynicebank.com NS ns.verynicebank.com

shelovehimtoo.com NS ns.verynicebank.com

makeloveforever.com NS ns.verynicebank.com

wholovedirect.com NS ns.verynicebank.com

grupogaleria.cn NS ns.verynicebank.com

activeware.cn NS ns.verynicebank.com

nationwide2u.cn NS ns.verynicebank.com ..."

 

* http://atlas.arbor.net/summary/fastflux

"Fastflux hosting is a technique where the nodes in a botnet are used as the endpoints in a website hosting scheme... Many different kinds of botnets use fastflux DNS techniques, for malware hosting, for illegal content hosting, for phishing site hosting, and other such activities. These hosts are likely to be infected with some form of malware..."

 

Also see "Top Storm Domains":

- http://www.trustedsource.org/en/threats/storm_tracker

 

:!: :grrr::ph34r:
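Sophos' observation that "each query to the nameservers for these domains returns a different IP address", together with the NS list above where every domain hangs off ns.verynicebank.com, is a fast-flux signature you can check yourself. The following is an added example, not Arbor's, Sophos' or the thread's code: the DNS observations in it are constructed from RFC 5737 documentation addresses, and the thresholds (TTL at most 300 s, at least five distinct addresses, a new answer set on nearly every query) are assumptions. It scores a domain by TTL, distinct-address count and answer churn, lists addresses that serve more than one domain (the bots are a shared hosting pool), and groups domains by nameserver the way the list above clusters.

```python
from collections import defaultdict

# Constructed DNS observations (not real captures): for each domain, the answers seen on
# successive queries as (ttl_seconds, tuple_of_A_records).
OBSERVATIONS = {
    "superlovelyric.com": [
        (60, ("203.0.113.10", "203.0.113.22", "198.51.100.7")),
        (60, ("198.51.100.40", "203.0.113.91", "192.0.2.66")),
        (60, ("192.0.2.130", "198.51.100.7", "203.0.113.200")),
        (60, ("192.0.2.19", "203.0.113.45", "198.51.100.88")),
    ],
    "bestlovelyric.com": [
        (60, ("203.0.113.22", "192.0.2.66", "198.51.100.88")),
        (60, ("203.0.113.10", "192.0.2.130", "198.51.100.40")),
        (60, ("203.0.113.91", "192.0.2.19", "203.0.113.200")),
    ],
    "www.example.com": [  # stable, long-TTL control
        (3600, ("203.0.113.250",)),
        (3600, ("203.0.113.250",)),
        (3600, ("203.0.113.250",)),
    ],
}

# A subset of the NS lines posted above plus one control line (constructed).
NS_LIST = """\
superlovelyric.com NS ns.verynicebank.com
bestlovelyric.com NS ns.verynicebank.com
makingloveworld.com NS ns.verynicebank.com
verynicebank.com NS ns.verynicebank.com
grupogaleria.cn NS ns.verynicebank.com
www.example.com NS a.iana-servers.net
"""


def flux_stats(answers):
    """Distinct addresses, number of answer-set changes, largest TTL and query count."""
    seen, changes, prev = set(), 0, None
    for ttl, ips in answers:
        cur = frozenset(ips)
        if prev is not None and cur != prev:
            changes += 1
        seen |= cur
        prev = cur
    return {"distinct_ips": len(seen), "changes": changes,
            "max_ttl": max(t for t, _ in answers), "queries": len(answers)}


def is_fast_flux(answers, max_ttl=300, min_distinct=5):
    """Short TTLs, a large address pool, and a different answer set on (nearly) every query."""
    s = flux_stats(answers)
    return (s["max_ttl"] <= max_ttl
            and s["distinct_ips"] >= min_distinct
            and s["changes"] >= s["queries"] - 1)


def classify(observations):
    return {dom: is_fast_flux(ans) for dom, ans in observations.items()}


def shared_pool(observations):
    """Addresses that answered for more than one domain: evidence of one shared bot pool."""
    by_ip = defaultdict(set)
    for dom, answers in observations.items():
        for _, ips in answers:
            for ip in ips:
                by_ip[ip].add(dom)
    return {ip: sorted(doms) for ip, doms in by_ip.items() if len(doms) > 1}


def cluster_by_ns(ns_lines):
    """Group domains by nameserver from 'domain NS nameserver' lines."""
    groups = defaultdict(list)
    for line in ns_lines.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1].upper() == "NS":
            groups[parts[2].lower()].append(parts[0].lower())
    return dict(groups)


if __name__ == "__main__":
    print(classify(OBSERVATIONS))
    print(len(shared_pool(OBSERVATIONS)), "addresses shared across domains")
    print(cluster_by_ns(NS_LIST))
```

Low TTL alone is not enough (CDNs use it too), and the distinct-address count alone is not enough (round-robin pools are large but stable), so the verdict needs all three; the cross-domain address overlap and the shared nameserver are what turn one suspicious domain into a campaign you can block at the nameserver rather than chasing each domain.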


FYI...

 

Storm Botnet ...Fireworks

- http://isc.sans.org/diary.html?storyid=4669

Last Updated: 2008-07-04 02:57:16 UTC - "I read about MX Logic's prediction this morning ( http://preview.tinyurl.com/5hlcxb ) that we should expect another wave of Storm Bot recruitment emails likely using the US Independence Day holiday as a lure. This group behind the Storm Botnet has always been conscious of timing and shortly after 5pm Eastern time I began to receive reports that a new wave had started. There's nothing very different about this one, it directs the user to click on a link that encourages the intended victim to download fireworks.exe. Gary Warner has a nice starter collection of Subjects, Bodies, and hosting IPs for those who need to set up blocks and filters available here:

http://garwarner.blogspot.com/2008/07/stor...ion-on-4th.html

I'm sure that the list will continue to grow. I'd recommend that you play it safe by blocking all attempts to download fireworks.exe at your perimeter..."

 

- http://securitylabs.websense.com/content/Alerts/3131.aspx

07.04.2008 (Screenshots...)

 

:ph34r:


FYI...

 

New Storm Worm Variant Spreading

- http://www.us-cert.gov/current/#new_storm_...rient_spreading

July 9, 2008 - "US-CERT has received reports of new Storm Worm activity. The latest activity uses messages that refer to the conflict in the Middle East. This Trojan is spread via unsolicited email messages that contain a link to a malicious website. The website is noted as having the following malicious characteristics which may be used to infect the user's system with malicious code.

* A video that, when opened, may run the executable file "iran_occupation.exe."

* A banner ad that, when clicked, may run the executable file "form.exe."

* A hidden iframe linked to "ind.php."

Reports, including a posting by Sophos**, indicate that the following subject lines are being used. Please note that subject lines can change at any time..."

 

** http://www.sophos.com/security/blog/2008/07/1569.html

9 July 2008

 

- http://ddanchev.blogspot.com/2008/07/storm...on-of-iran.html

July 09, 2008

 

Fake news on World War III

- http://securitylabs.websense.com/content/Alerts/3132.aspx

07.09.2008 (Screenshots...)

 

//


Reference:

 

AVG - AVI 270.4.9/ 1548

- http://www.grisoft.com/us.news

July 12, 2008

"...new variant of I-Worm/Nuwar..."

 

This -is- a variant of the Storm worm.

 

Other AV defs to follow suit, if they haven't already. Check yours...

 

 

//


Once again - same stuff, SAME DAY:

 

AVI 270.4.10/ 1549

- http://www.grisoft.com/us.news

July 12, 2008

"...new variant of I-Worm/Nuwar..."

 

This -is- yet another variant of the Storm worm.

 

Other AV defs to follow suit, if they haven't already. Check yours, again...

 

 

// :-( :-(


FYI...

 

New malicious Storm Worm campaign: American currency

- http://securitylabs.websense.com/content/Alerts/3137.aspx

07.22.2008 - "Websense... has discovered a new Storm Worm campaign around the theme of the U.S. credit crunch. We have detected a series of email subject lines used to entice users into downloading a Trojan. Here are a few examples of the subjects we have seen in this campaign:

- The new currency is coming

- Amero arrives

- Amero currency Union is now the reality

- The AMERO currency replacing the Dollar ...

Clicking the link... directs users to a site laden with drive-by exploits inside of a script file... In typical Storm Worm fashion, infection success rate is highly dependent on the social engineering tactic employed and thus the malicious file in this campaign is appropriately named amero.exe."

 

//


FYI...

 

- http://www.us-cert.gov/current/#new_storm_...ivity_spreading

July 29, 2008 - "US-CERT is aware of public reports of a new Storm Worm Campaign. The latest campaign is centered around messages related to the Federal Bureau of Investigation and Facebook. This Trojan horse virus is spread via an unsolicited email message that contains a link to a malicious website. This website contains a link, that when clicked, may run the executable file "fbi_facebook.exe" to infect the user's system with malicious code. Reports, including a posting by Sophos*, indicate the following email subject lines are being used. Please note that subject lines can change at any time.

- F.B.I. may strike Facebook

- F.B.I. watching us

- The FBI's plan to "profile" Facebook

- The FBI has a new way of tracking Facebook

- F.B.I. are spying on your Facebook profiles

- F.B.I. busts alleged Facebook

- Get Facebook's F.B.I. Files

- Facebook's F.B.I. ties

- F.B.I. watching you ..."

* http://www.sophos.com/security/blog/2008/07/1599.html

 

- http://www.f-secure.com/weblog/archives/00001475.html

July 28, 2008

 

- http://www.virustotal.com/analisis/c167dc2...889ff53f0499231

07.28.2008 - Result: 17/35 (48.57%)

 

- http://www.fbi.gov/pressrel/pressrel08/stormworm073008.htm

July 30, 2008

 

//


FYI...

 

- http://blog.trendmicro.com/storm-uses-old-bait/

August 5, 2008 - "The Storm gang is casting its net once again — using “postcards” as bait in a recently discovered spam run... Clicking the link embedded in the message connects the user to any of the following domains:

* hxxp:// {BLOCKED}cardAdvertising.com/

* hxxp:// {BLOCKED}ettercard.com/

* hxxp:// {BLOCKED}ostcardArt.com/

* hxxp:// {BLOCKED}ostcardmail.com

* hxxp:// {BLOCKED}reetingcard.com/

* hxxp:// {BLOCKED}stcardOnline.com/

* hxxp:// {BLOCKED}ttercard.com/

...When the abovementioned page loads, an auto-redirect occurs after 3 seconds, prompting the user to download a file named postcard.exe... The same file, postcard.exe, is also downloaded if the user clicks on the link save it on the Web page. postcard.exe is detected as TROJ_NUWAR.DDJ... it is plausible that the Storm gang is using this constant change in technique to evade spam and URL filtering blocking. Storm has been known to constantly change its employed social engineering technique, the most recent ones being news of terrorists on social networking networks, economic issues, and fake videos of popular celebrities..."

 

(Screenshots available at the Trendmicro URL above.)

 

//

